Day 21

Create An Account on Have I Been Pwned

Welcome to Day 21 of my 30-day security challenge, the month-long challenge I created to help you gain control of your privacy and security online. You can follow along with the security challenge via my blog at snubsie.com, where you can skip ahead or download a checklist of the challenge. Each video will also be curated into a playlist so it'll be easy to follow along from Day 1 all the way through 30 here on YouTube.

Today is all about Have I Been Pwned. What is Have I Been Pwned? It's a website made by security researcher Troy Hunt that can alert you to any company data breaches where your information was potentially stored. HaveIBeenPwned.com formed after a big breach where usernames and passwords for a website were posted on the internet by an attacker. Anyone with the know-how or the link could then view this data and use it against the folks who had their credentials stolen.

So what is a breach? This is where a company, a website, or any place where data is stored is hacked and the data is stolen by an attacker. The attacker then puts that data online for the world to see, usually to the detriment of the company that runs the site and its users, since all of their usernames and passwords are now public. Other attackers will take this readily available information and try to reuse it on other sites to easily steal money or more data, or take over accounts. This is why it is so important to use a different password on each site, and use 2FA wherever possible.

HaveIBeenPwned.com takes all these breaches and puts the data together to figure out exactly how many user accounts were publicized, and it alerts you of any breaches that you were a victim of. It quite simply scrubs through a slew of breach data looking for your email address or usernames and if it finds a match, it emails you and says "You were a part of this breach! You should change your password immediately!" or something similar. The site doesn't store passwords. Each breach is verified by Troy before being added to the growing list on HIBP. Troy Hunt built this site as a service to the security community and consumers, and I find it valuable when needing to know if my username or email address was found in any breaches.

To use the site, go to HaveIBeenPwned.com and click on Notify Me from the menu. Enter your email address, or addresses if you have multiple, verify you aren't a robot, and click Notify me of pwnage. Setting this up will alert you in the future to any breaches with your email address in them. If you want something a bit quicker, go to the main page and type in your email address. Click "Pwned?" and check the information listed below the entry. This page will list any breaches your email account was found in, along with any documents pasted online that contain your email address.

Once you see some breaches, don't panic. What you should do is go to each of the sites listed and change your password, and if you have the option, turn on two-factor authentication. While you can't do much to keep a company from getting hacked, you can keep yourself from getting hacked by updating your password and turning on 2FA, so even if someone found these public breaches, they wouldn't be able to do anything with your data. Also, if you had previously reused the passwords from any of these breaches on another site, you'll need to update the password on that site as well.
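The cleanup described above, as an added example (not from the original post): given the sites a breach lookup listed and a password-manager export, it lists every account that needs a new password, including accounts that reuse a breached password, and flags the ones without 2FA. The CSV columns, the site names and the `triage` and `fingerprint` functions are assumptions made for this illustration.

```python
import csv
import hashlib
import io

# Constructed sample: a password-manager CSV export (column names are assumed).
SAMPLE_EXPORT = """site,username,password,has_2fa
forum.example,alice@example.com,Tr0ub4dor&3,no
shop.example,alice@example.com,Tr0ub4dor&3,no
bank.example,alice@example.com,correct-horse-battery,yes
photos.example,alice@example.com,Summer2019!,no
news.example,alice,Summer2019!,yes
"""

# Constructed sample: the sites a breach lookup listed for this address.
BREACHED_SITES = {"forum.example", "photos.example"}


def fingerprint(password):
    # Compare passwords by digest so plaintext never appears in the results.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def triage(export_csv, breached_sites):
    """Return (site, reason, needs_2fa) for every account that needs a new password."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    breached = {s.lower() for s in breached_sites}

    # Map each exposed password to the first breached site that used it.
    exposed = {}
    for r in rows:
        if r["site"].lower() in breached:
            exposed.setdefault(fingerprint(r["password"]), r["site"])

    actions = []
    for r in rows:
        needs_2fa = r["has_2fa"].strip().lower() != "yes"
        if r["site"].lower() in breached:
            actions.append((r["site"], "breached", needs_2fa))
        elif fingerprint(r["password"]) in exposed:
            source = exposed[fingerprint(r["password"])]
            actions.append((r["site"], "reuses password from " + source, needs_2fa))
    return actions


if __name__ == "__main__":
    for site, reason, needs_2fa in triage(SAMPLE_EXPORT, BREACHED_SITES):
        extra = " and turn on 2FA" if needs_2fa else ""
        print(f"{site}: change password ({reason}){extra}")
```

A real export holds every password in plaintext, so run this locally and securely delete the CSV file when you are done.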

Personally, I love HaveIBeenPwned.com. I constantly sign up for sites here and there specifically for testing things on my shows, so I have tons of accounts on sites that I don't have good records of. So if any of them get hacked, I know that HIBP will alert me of anything that happens publicly involving my accounts or usernames.

Day 21 is now complete! Tomorrow is all about email security and privacy. But first, make sure to subscribe on YouTube and hit up snubsie.com for the downloadable checklist and to skip ahead on the 30-day security challenge. Again, I'm Shannon Morse and I'll see you tomorrow for Day 22!